On Thu, Jul 19, 2001 at 06:03:00PM -0400, Kris von Mach wrote:
> Something very weird started happening yesterday, and I have been trying to
> figure out what it might be, and I was unable to narrow it down.
> I have been running qmail with rbl/rss and also running dnscache on the
> same machine for a while without any problems.
> Yesterday my dnscache log started filling up with these error messages:
(log excerpts trimmed:)
> @400000003b574c21126fcb94 query 27874 7f000001:e77a:701d 1
> @400000003b574c2113c47684 query 27875 7f000001:fccb:eebc 12
> @400000003b574c2113eb6744 query 27876 7f000001:fccb:eebc 16
> @400000003b574c2113f087c4 query 27877 7f000001:e77a:701d 1
All these requests are from localhost; so it could very well be
rblsmtpd causing these requests.
> about 20 or so requests like this a second... about 95% of them are for
> 150.68.39.208.relays.mail-abuse.org/150.68.39.208.blackholes.mail-abuse.org
> which is (web01.dc.intira.com, not my server) and the other 5% are for
> 2.110.10.209.in-addr.arpa (my server)
> my qmail-smtp and qmail-send logs don't show anything interesting...
What does that mean? And how do you know?
[re-ordered]
> exec softlimit -m 100000000 -t600 tcpserver -S -R -H -c100 -x
> /home/vpopmail/etc/tcp.smtp.cdb -u $QMAILUID -g $NOFILESGID 0 smtp rblsmtpd \
> -r blackholes.mail-abuse.org \
> -r 'relays.mail-abuse.org:Open relay problem - see
> http://www.mail-abuse.com/cgi-bin/nph-rss?%IP%' \
> qmail-smtpd splogger smtpd 2>&1
Use '-v' with tcpserver to log connection attempts (which is what
would cause rblsmtpd to do lookups). What version of ucspi-tcp do you
have? My copy of 0.88 doesn't have an '-S' option.
If you are getting connection attempts from this address, try using
recordio to see what the host is sending to rblsmtpd (and possibly
qmail-smtpd).
> My antivirus program (kaspersky's) didn't like this at all and was
> generating this error:
Well, then, you must have _something_ interesting in your qmail logs,
since something is reaching your antivirus thingy.
[...]
> My qmail setup is done according to Matt Simerson's qmail-vpopmail-freebsd
> toaster.
I'm not familiar with that document.
> RBL and RSS tests show that everything is working fine...
What does that mean? What sort of tests did you do? What is the
'everything' that is working fine? Obviously, it's not, since you're
asking the question here.
> So the only thing that I can think of that might be different is that
> MAPS changed something?
Not yet.
> I know I haven't changed anything for over a month now (and this
> is a fairly busy server). The thing that really freaks me out is that I
> worked on Deloitte Consulting's web site around a year ago, and now my
> dnscache is filling up with requests for
> 150.68.39.208.blackholes.mail-abuse.org, which is the IP address for
> web01.dc.intira.com... I hope the two are not related in any way.
We have no way of knowing that.
Vince.
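The first thing Vince does with the quoted log is read the client field and conclude the lookups come from localhost. The dnscache `query` line packs that information into a tai64n timestamp, a hex `ip:port:id` client field and a numeric query type, so decoding it is the natural first step before reaching for `tcpserver -v` or recordio. The following is an added example, not code from the thread or from djbdns; it assumes the four log lines exactly as quoted in the post (the query-name field had already been trimmed there, so it is treated as optional) and, to turn TAI into UTC, a fixed TAI-UTC offset of 32 seconds, which is correct for 2001 but is a stand-in for a real leap-second table.

```python
"""Decode dnscache 'query' log lines and attribute a lookup storm to a client
address and query type.  Added example; the four sample lines are copied
from the post, and the TAI-UTC offset is a fixed-value assumption."""
from collections import Counter
from datetime import datetime, timezone

# Query types seen in the excerpt; anything else is reported numerically.
QTYPES = {1: "A", 12: "PTR", 16: "TXT"}

# Sample input, copied from the post (query names were trimmed there).
SAMPLE_LOG = """\
@400000003b574c21126fcb94 query 27874 7f000001:e77a:701d 1
@400000003b574c2113c47684 query 27875 7f000001:fccb:eebc 12
@400000003b574c2113eb6744 query 27876 7f000001:fccb:eebc 16
@400000003b574c2113f087c4 query 27877 7f000001:e77a:701d 1
"""

TAI64_EPOCH = 1 << 62          # tai64 labels count seconds from 2^62
TAI_MINUS_UTC_2001 = 32        # assumption: fixed offset, valid for 1999-2005


def decode_tai64n(label):
    """'@' + 16 hex TAI seconds + 8 hex nanoseconds -> (tai_seconds, nanos)."""
    if not label.startswith("@") or len(label) != 25:
        raise ValueError("not a tai64n label: %r" % label)
    digits = label[1:]
    tai_seconds = int(digits[:16], 16) - TAI64_EPOCH
    nanos = int(digits[16:], 16)
    if nanos >= 10**9:
        raise ValueError("nanosecond field out of range in %r" % label)
    return tai_seconds, nanos


def tai_to_unix(tai_seconds, offset=TAI_MINUS_UTC_2001):
    """TAI seconds -> Unix (UTC) seconds using the assumed fixed offset."""
    return tai_seconds - offset


def utc_string(unix_seconds):
    """Render Unix seconds as 'YYYY-MM-DD HH:MM:SS' in UTC."""
    return datetime.fromtimestamp(unix_seconds, tz=timezone.utc).strftime(
        "%Y-%m-%d %H:%M:%S")


def decode_client(field):
    """'7f000001:e77a:701d' -> ('127.0.0.1', 59258, 0x701d)."""
    ip_hex, port_hex, id_hex = field.split(":")
    if len(ip_hex) != 8:
        raise ValueError("expected 8 hex digits of IPv4 address in %r" % field)
    ip = ".".join(str(int(ip_hex[i:i + 2], 16)) for i in range(0, 8, 2))
    return ip, int(port_hex, 16), int(id_hex, 16)


def parse_query_line(line):
    """Return a dict for a dnscache 'query' line, or None for other lines."""
    parts = line.split()
    if len(parts) < 5 or parts[1] != "query":
        return None
    tai_seconds, nanos = decode_tai64n(parts[0])
    ip, port, qid = decode_client(parts[3])
    qtype = int(parts[4])
    return {
        "unix": tai_to_unix(tai_seconds),
        "nanos": nanos,
        "serial": int(parts[2]),
        "client": ip,
        "port": port,
        "id": qid,
        "qtype": QTYPES.get(qtype, str(qtype)),
        "name": parts[5] if len(parts) > 5 else None,  # trimmed in the post
    }


def summarize(text):
    """Parse all query lines and count them by (client, query type)."""
    records = [r for r in (parse_query_line(l) for l in text.splitlines()) if r]
    by_client_type = Counter((r["client"], r["qtype"]) for r in records)
    return records, by_client_type


def all_loopback(records):
    """True when every query came from 127.0.0.0/8, i.e. a local process."""
    return bool(records) and all(r["client"].startswith("127.") for r in records)


if __name__ == "__main__":
    recs, counts = summarize(SAMPLE_LOG)
    for r in recs:
        print(utc_string(r["unix"]), r["client"], r["port"], r["qtype"])
    print("by client/type:", dict(counts))
    print("all from loopback:", all_loopback(recs))
```

Running it on the four quoted lines shows every query coming from 127.0.0.1 from two source ports, two A lookups and one PTR and one TXT lookup, which is exactly the pattern of a local rblsmtpd doing one address lookup and one TXT lookup per connection; grouping by `(client, qtype)` over a full day's log is what lets you separate that from some other local process hammering the cache.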